Abstract

Let $\mathbb{F}_q$ be a finite field and let $b$ and $N$ be integers. We study the
probability that the number of points on a randomly chosen elliptic curve
$E$ over $\mathbb{F}_q$ equals $b$ modulo $N$. We prove explicit formulas for the cases
$\gcd(N, q) = 1$ and $N = \operatorname{char}(\mathbb{F}_q)$. In the former case, these formulas
follow from a random matrix theorem for Frobenius acting on the $N$-torsion
part of $E$, obtained by applying density results due to Chebotarev
to the modular covering $X(N) \to X(1)$. As an additional application to
this theorem, we estimate the probability that a randomly chosen elliptic
curve has a point of order precisely $N$.

1 Introduction 

If one writes the number of rational points on an elliptic curve $E$ over a finite
field $\mathbb{F}_q$ as $q + 1 - T$, then the integer $T$ is called the trace of Frobenius of
$E$. Hasse proved that $T \in [-2\sqrt{q}, 2\sqrt{q}]$, but within this interval the trace of
Frobenius is an unpredictable number, seemingly picked at random. Since the
1960's, its statistical behaviour has become subject to extensive study.

To make the problem well-defined, the best-known approach is to fix an
elliptic curve $E$ over a number field $K$, and to consider it modulo various prime
ideals $\mathfrak{p} \subset \mathcal{O}_K$ of good reduction. Based on experimental evidence, Sato and
Tate conjecturally described how the traces of Frobenius of $E$ mod $\mathfrak{p}$ are,
after being normalized by $2\sqrt{N(\mathfrak{p})}$, distributed along $[-1, 1]$. See [5] for the
details and an introduction to the recent progress on this subject.

Another approach is to fix the finite field $\mathbb{F}_q$, and to consider all $\mathbb{F}_q$-isomorphism
classes of elliptic curves $E$ over it. Their traces of Frobenius $T_E$ define
a discrete probability measure $\mu_q$ on $\{-\lfloor 2\sqrt{q} \rfloor, \ldots, \lfloor 2\sqrt{q} \rfloor\}$. As above, one can
normalize to obtain a distribution on $[-1, 1]$. Birch [4] and Deligne [H 3.5.7]
proved results on the limit behaviour of this normalized distribution as $q$ tends
to infinity, thereby lending support for the Sato-Tate conjecture. However, not
all is said with this: some remarkable properties, related to the discrete nature
of $\mu_q$, become dissolved in the limit procedure. As an introductory exercise,
the reader is invited to show that when $q$ is odd, $T_E$ favours even numbers.
This is related to the fact that a randomly chosen cubic polynomial
$f(x) \in \mathbb{F}_q[x]$ has a rational root with a probability that tends to $2/3$ as $q$
gets big. This phenomenon illustrates the more general fact that for any
positive integer $N$, the probability that $\#E(\mathbb{F}_q) = q + 1 - T_E$ is divisible
by $N$ tends to be strictly bigger than $1/N$. Lenstra was the
first to observe this, and proved in [TH] explicit estimates in the situation where
$N$ is a prime number different from $p = \operatorname{char}(\mathbb{F}_q)$, by using modular curves.
His work was generalized to arbitrary $N$ by Howe [14], and has implications for
integer factorization [19] and cryptography [10].

In this paper, we further generalize Lenstra's work. For an arbitrary integer
$N > 2$ and $t \in \{0, 1, \ldots, N-1\}$, write $P_{q,N}(t)$ for the probability that $T_E$ mod $N$
equals $t$. We prove

Theorem 1 Write N = p™ ■ ■ ■ t^'' where the £i are pairwise distinct 
primes different from p. 

(i) If gcd{N,p) = 1, then Pq^N converges to a multiplicative arithmetic func- 
tion in N, i.e. 

lim I PqMt)-f[Pq it ^od en] ^0- (1) 

If N = for a prime p, then there is an explicitly described function 
93 : Z — > Z for which 

gcd(g.N) = l \ {, {, / 

In case $\ell \geq 3$ and $n = 1$ we have $\varphi : x \mapsto \ell^2 + \left(\frac{x}{\ell}\right)\ell$, where $\left(\frac{\cdot}{\ell}\right)$ is the
Legendre symbol. See Section 4 for the definition of $\varphi$ in the general case.

(a) If N = p, then 

lim P„k jv(0) = and lim P„fc j^(t) = ift^O. 

Explicit error terms are given in Section 4 and Section 5.

Note that if $N$ is an arbitrary $p$th-power $p^n$ ($n > 1$), then (ii) trivially
implies $\lim_{k \to \infty} P_{p^k,N}(t) = 0$ whenever $t \equiv 0 \bmod p$. Numerical experiments
suggest that the other traces are again evenly distributed:

$$\lim_{k \to \infty} P_{p^k,N}(t) = \frac{1}{p^n - p^{n-1}} \quad \text{if } t \not\equiv 0 \bmod p.$$

This can be made rigorous for $t = \pm 1$, following Howe [14, Theorem 1.1] and
using quadratic twisting. Our numerical experiments also suggest that the
independence expressed in (1) extends to arbitrary $N$, i.e. including $p \mid N$. Together,
this would give a complete description of the distribution of $T_E$ mod $N$ (as $q$
tends to infinity).

The case $\gcd(N, p) = 1$ is obtained from an equidistribution theorem on
matrices of Frobenius acting on the $N$-torsion group $E[N]$ of $E$. Recall that
$E[N] \cong \mathbb{Z}_N \oplus \mathbb{Z}_N$, where $\mathbb{Z}_N$ abbreviates $\mathbb{Z}/(N\mathbb{Z})$. Then the $q$th-power
Frobenius action on $E[N]$ determines a unique $\mathrm{GL}_2(\mathbb{Z}_N)$-conjugacy class of
matrices having determinant $q$. Denote the subset of $\mathrm{GL}_2(\mathbb{Z}_N)$ consisting of all
matrices of determinant $q$ by $\mathcal{M}_q$. Then the theorem reads:

Theorem 2 Fix a conjugacy class $\mathcal{F} \subset \mathrm{GL}_2(\mathbb{Z}_N)$ of matrices of determinant $q$.
Let $E$ be a uniformly randomly chosen $\mathbb{F}_q$-isomorphism class of elliptic curves
over $\mathbb{F}_q$. Let $P_{\mathcal{F}}$ be the probability that $\mathcal{F}_E = \mathcal{F}$. Then



*Mq 

where $C \in \mathbb{R}_{>0}$ is an absolute and explicitly computable constant.

In other words, if $q$ gets big, a Frobenius conjugacy class becomes as likely as
its own relative size. See Section 3 for more details on the constant $C$.

In its above form, Theorem 2 seems new and fits in the random matrix
philosophy that dominates today's research on the statistical behaviour of
Frobenius, both in the Sato-Tate setting (fixed curve, varying field) and in the
Birch-Deligne setting (fixed field, varying curve). This was initiated by Deligne, who
obtained his above-mentioned result as a consequence of an equidistribution
theorem in étale cohomology. The random matrix idea has proven to provide
well-working models for higher genus analogues of the Frobenius distribution
problem [17, 18], although many statements remain conjectural. We refer to
the book by Katz and Sarnak [17] for more details. This book also contains
a refinement of Deligne's equidistribution theorem [17, 9.7] which was used by
Achter to prove a variant of Theorem 2 that works in arbitrary genus |H Theorem 3.1].
However, Achter's result has a worse error bound and imposes certain
weak restrictions on $q$ and $N$. Our attention will be devoted to a more
elementary approach, based on the modular covering $X(N) \to X(1)$ and (parts of the
proof of) Chebotarev's density theorem for function fields.

As an additional application of Theorem 2, we investigate the probability of
a point of prescribed order coprime to $q$.

Theorem 3 Let N > 2 be an integer coprime to q, and write N — £^^£2^ ■ ■ ■ 
where the £i are pairwise distinct primes. Let E be a uniformly randomly chosen 
¥ q-isomorphism class of elliptic curves over¥q. Write Pq{N) for the probability 
that E has a point of order N . Then 

(i) P'q converges to a multiplicative arithmetic function, i.e. 

lim (p'q{N)-X{P'^{£r)\=Q. 
(ii) If £ ^ p is a prime number, qq and 71 > 1 are integers with go ^ mod £
and V is the £-adic valuation of qo — 1, then 

Jim (P^(r)-0,,.) =0. 

q = qQ mod l'^ 

where Ot^ equals 1/(^-^-2) if > n and (£2i^+i + l)/(£"+2^+i_r+2'>-i) 
in the other cases. 

An explicit error term is given in Section 6.

It is worth remarking that several questions related to Theorem 1 and
Theorem 3 were already posed by Gekeler in the weaker set-up where $\mathbb{F}_q$ is a large
prime field that has to be chosen at random; he studied the distribution of
Frobenius traces [11] and various probabilities such as $E[\ell^\infty](\mathbb{F}_q)$ having a given
structure or $E(\mathbb{F}_q)$ being cyclic [121 US]. The latter probability has also been
studied by Vlăduţ in case $\mathbb{F}_q$ is fixed [H], using Howe's work. Still for $\mathbb{F}_q$ fixed,
Galbraith and McKee conjecturally estimated the probability that $\#E(\mathbb{F}_q)$ is a
prime number [10]. Achter and Sadornil studied the chance that $E$ has a given
number of rational isogenies of given prime degree emanating from it [3]. For
higher genus curves $C/\mathbb{F}_q$, Achter gave explicit estimates for the chance that
$\mathrm{Jac}(C)[N](\mathbb{F}_q)$ has a given structure [HH], and Chavdarov proved that the
numerator of the zeta function $Z_C(T)$ is generically irreducible [Hj.

The article is organized as follows. Section 2 recalls the necessary background
on modular curves, Section 3 contains the proof of Theorem 2 and we use this
in Section 4 to deduce Theorem 1 for the case $\gcd(N, p) = 1$. Section 5 contains
the proof for the case $N = p$. Finally, Section 6 contains the proof of Theorem 3.
We also include an Appendix, which recalls certain facts about twisting, and
which discusses some disambiguations on what is meant by a randomly chosen
elliptic curve.

The authors are very grateful to Hendrik W. Lenstra for his suggestion to
consider Chebotarev's density theorem for the proof of Theorem 2.

2 Background on modular curves 

An implicit reference for this section are the lecture notes by Deligne and
Rapoport [8] and the earlier work by Igusa [1^1 [S] on which these build.

Let $\mathbb{F}_p$ be the finite prime field with $p$ elements, and let $N$ be a positive
integer, coprime to $p$. Fix a primitive $N$th root of unity $\zeta_N \in \overline{\mathbb{F}}_p$. Consider all
triplets $(E, P, Q)$, where $E$ denotes an elliptic curve over $\overline{\mathbb{F}}_p$, and $P, Q \in E[N]$
satisfy $e_N(P, Q) = \zeta_N$. Here

$$e_N : E[N] \times E[N] \to \{N\text{th roots of unity}\}$$

is the Weil pairing, see [20, III.§8]. Two triplets $(E, P, Q)$ and $(E', P', Q')$ are
called equivalent if there exists an $\overline{\mathbb{F}}_p$-isomorphism $E \to E'$ mapping $P$ to $P'$
and $Q$ to $Q'$. As a special instance, using multiplication by $-1$, we have that
$(E, P, Q)$ is equivalent to $(E, -P, -Q)$.
The set of equivalence classes of such triplets can be given the structure of
a nonsingular affine curve $Y(N)$. Note that $Y(1)$ merely parameterizes elliptic
curves by their $j$-invariant; it has the structure of the affine line $\mathbb{A}^1$. The
nonsingular completion of $Y(N)$ is called the modular curve of level $N$ and is
denoted by $X(N)$. In particular, $X(1)$ can be identified with $\mathbb{P}^1$. The natural
covering

$$Y(N) \to Y(1) : (E, P, Q) \mapsto j(E)$$

extends to an algebraic morphism $\psi : X(N) \to \mathbb{P}^1$, which is Galois, with Galois
group $\mathrm{PSL}_2(\mathbb{Z}_N)$. On $Y(N)$ this group acts through

$$\begin{pmatrix} \alpha & \beta \\ \gamma & \delta \end{pmatrix} \cdot (E, P, Q) = (E, \alpha P + \beta Q, \gamma P + \delta Q). \qquad (2)$$

The morphism $\psi$ is ramified at (and only at) $j = 0, 1728, \infty$. The genus of
$X(N)$ equals $1 + \#\mathrm{PSL}_2(\mathbb{Z}_N) \cdot (N - 6)/12N$.

The construction of $Y(N)$ primarily provides a model that is defined over
$\mathbb{F}_p(\zeta_N)$. To remedy this, one repeats the above construction for all primitive
$N$th roots of unity. The union again parameterizes triplets $(E, P, Q)$ modulo
equivalence, but now one only imposes that $(P, Q)$ is a basis of $E[N]$. Up to
tensoring with $\mathbb{F}_p(\zeta_N)$, this union is what Deligne and Rapoport denote by $\mathfrak{M}_N^0$.
It is a reducible scheme decomposing into $\varphi(N)$ copies of $Y(N)$. Similar to (2),
we have an action of




H = 




on $\mathfrak{M}_N^0 \otimes \mathbb{F}_p(\zeta_N)$ which connects these components horizontally: every orbit
$H \cdot (E, P, Q)$ contains a unique point of each component. The quotient under
this action can thus be identified with $Y(N)$, and realizes it as a curve over the
fixed field $\mathbb{F}_p(\zeta_N)^{\det H}$, where $a \in \det H$ acts on $\mathbb{F}_p(\zeta_N)$ as $\zeta_N \mapsto \zeta_N^a$. Hence it
realizes $Y(N)$ as a curve over $\mathbb{F}_p$. As a consequence, $X(N)$ is defined over $\mathbb{F}_p$,
and this also accounts for the morphism $X(N) \to X(1)$.

From now on, let $\mathbb{F}_q \supset \mathbb{F}_p$ be the finite field with $q$ elements, and consider
$X(N)$ as a curve over $\mathbb{F}_q$. Then it is endowed with a $q$th-power Frobenius action
$\Sigma$, where some caution is needed in describing it explicitly. Let $\sigma \in \mathrm{Gal}(\overline{\mathbb{F}}_q, \mathbb{F}_q)$
be the usual $q$th-power Frobenius automorphism. Then the map $(E, P, Q) \mapsto
(E^\sigma, P^\sigma, Q^\sigma)$ is not well-defined on $Y(N)$, as it does not preserve the Weil
pairing. However, the $H$-orbit of $(E^\sigma, P^\sigma, Q^\sigma)$ contains a unique representative
on which the Weil pairing acts properly, and this is

$$\Sigma(E, P, Q) = (E^\sigma, q^{-1}P^\sigma, Q^\sigma). \qquad (3)$$

We end by commenting on the algebraic side of the above story, whilst fixing
notation. The coordinate ring $R$ of $Y(1)$ (over $\mathbb{F}_q$) equals $\mathbb{F}_q[j]$, in which the
formal variable $j$ can be seen as a universal $j$-invariant. Its field of fractions will
be denoted by $K$, while the function field of $Y(N)$ (over $\mathbb{F}_q$) will be denoted
by $L$. The morphism $X(N) \to X(1)$ corresponds to a field extension $K \subset L$,
which is normal and separable with Galois group $\mathrm{PSL}_2(\mathbb{Z}_N)$. We will write $g_L$
for the genus of $L$, which is $1 + [L : K] \cdot (N - 6)/12N$. The integral closure of
$R$ in $L$ can be identified with the coordinate ring of $Y(N)$, and will be denoted
by $S$. Here is a summarizing diagram:

$$\begin{array}{ccccccc}
\mathbb{F}_q[j] & \cong & R & \subset & K & = & \mathbb{F}_q(j) \\
 & & \cap & & \cap & & \\
\mathbb{F}_q[Y(N)] & \cong & S & \subset & L & = & \mathbb{F}_q(Y(N)).
\end{array}$$

From now on, an elliptic curve with j-invariant jo G will always be denoted 
by Ej„. 



3 The distribution of Frobenius matrices 



We will now prove Theorem 2 by applying density results due to Chebotarev
to the modular covering $X(N) \to X(1)$. Our main reference for the proof of the
Chebotarev density theorem is [9, Section 5.4].

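Let $j_0 \in \mathbb{F}_q$. A triplet $\mathcal{E} = (E_{j_0}, P, Q)$ on the modular curve $Y(N)$
corresponds to a maximal ideal $\mathfrak{m}_{\mathcal{E}}$ in $S \otimes \overline{\mathbb{F}}_q$. Define $\mathfrak{P}_{\mathcal{E}} := \mathfrak{m}_{\mathcal{E}} \cap S$, which can
be viewed as a closed point of $Y(N)$ as an $\mathbb{F}_q$-scheme. Suppose that $\mathfrak{P}_{\mathcal{E}}$ is
unramified over $K$, which is equivalent to the condition $j_0 \neq 0, 1728$. As
explained in [9, Section 5.2] we can associate to $\mathfrak{P}_{\mathcal{E}}$ its Frobenius automorphism
$\left[\frac{L/K}{\mathfrak{P}_{\mathcal{E}}}\right] \in \mathrm{Gal}(L/K)$. With $\mathfrak{p}_{\mathcal{E}} := \mathfrak{P}_{\mathcal{E}} \cap R$ this automorphism is uniquely
determined by the condition

$$\left[\frac{L/K}{\mathfrak{P}_{\mathcal{E}}}\right] x \equiv x^{N(\mathfrak{p}_{\mathcal{E}})} \bmod \mathfrak{P}_{\mathcal{E}} \quad \text{for all } x \in S.$$

We note that $j_0 \in \mathbb{F}_q$ implies that $\mathfrak{p}_{\mathcal{E}} = (j - j_0)$ and hence $N(\mathfrak{p}_{\mathcal{E}}) = q$.
Geometrically, the above condition means that if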



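is the set of points of $Y(N)$ (maximal ideals of $S \otimes \overline{\mathbb{F}}_q$) above $\mathfrak{P}_{\mathcal{E}}$, then
$\left[\frac{L/K}{\mathfrak{P}_{\mathcal{E}}}\right] \in \mathrm{PSL}_2(\mathbb{Z}_N)$ permutes this set, in the same manner as $\Sigma$ does. If $\mathfrak{P}'$ is another
prime ideal of $S$ above $\mathfrak{p}_{\mathcal{E}}$, we have that the Frobenius automorphism
$\left[\frac{L/K}{\mathfrak{P}'}\right]$ is conjugated to $\left[\frac{L/K}{\mathfrak{P}_{\mathcal{E}}}\right]$. The Artin symbol $\left(\frac{L/K}{\mathfrak{p}_{\mathcal{E}}}\right)$
of $\mathfrak{p}_{\mathcal{E}}$ is then defined as the conjugacy class of $\left[\frac{L/K}{\mathfrak{P}_{\mathcal{E}}}\right]$ in $\mathrm{Gal}(L/K)$. We can
now formulate our main tool.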
Lemma 1 Choose $\tau \in \mathrm{Gal}(L/K) \cong \mathrm{PSL}_2(\mathbb{Z}_N)$. Let $A$ denote the set of points
$\mathcal{E} = (E_{j_0}, P, Q) \in Y(N)$ for which $j_0 \in \mathbb{F}_q \setminus \{0, 1728\}$ and $\left[\frac{L/K}{\mathfrak{P}_{\mathcal{E}}}\right] = \tau$. Then we
have

We postpone the proof to the end of this section. Now recall that $Y(N)$
parameterizes triplets $(E_{j_0}, P, Q)$ up to $\overline{\mathbb{F}}_q$-isomorphism, whereas we are interested
in triplets up to $\mathbb{F}_q$-isomorphism. Using that all $j_0 \in \mathbb{F}_q \setminus \{0, 1728\}$ correspond
to two elliptic curves over $\mathbb{F}_q$ (related to each other by quadratic twisting, see
Corollary 3 in the Appendix below), we get the following result.

Corollary 1 Suppose $N > 2$. Choose $F \in \mathrm{GL}_2(\mathbb{Z}_N)$ such that $\det F = q$. Let
$B$ denote the set of triplets $(E_{j_0}, P, Q)$ up to $\mathbb{F}_q$-isomorphism for which

(i) $E_{j_0}$ is an elliptic curve over $\mathbb{F}_q$ with $j$-invariant $j_0 \neq 0, 1728$,
(ii) the points $P, Q \in E_{j_0}[N]$ satisfy $e_N(P, Q) = \zeta_N$, and
(iii) the matrix of $q$th-power Frobenius on $E_{j_0}[N]$ with respect to the basis
$(P, Q)$ equals $F$.

Then we have

$$|\#B - q| < (4[L : K] + 4g_L + 2)\sqrt{q}.$$

Proof. Let r e PSL2{Zn) and suppose that T e SL2{Zn) reduces to t mod 
• ;±Id}. Every point £ = {Ej„ ,P,Q) € Y{N) for which jo e F, \ {0, 1728} and 

-^p^j — r, corresponds up to Fq-isomorphism to precisely two triplets, namely 
{Ejg^ P,Q) and its quadratic twist. Their gth-power Frobenius matrices differ 
by sign and are equal to 

" " T eGL2{ZN) 

(see ([3]) and the discussion preceding Lemma [Ij. Conversely, if we start with a 
triplet (i?j„ ,P,Q)e B, we find 

-1 

■F ePSL2(Zjv) 

as the Frobenius automorphism -^^^ e Gal{L/K) associated to the point 





£ — {Ejg,P,Q) e Y{N). This induces a bijection between B and the set A of 
the previous lemma (for an appropriate choice of r). □ 

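Note 1 If $N = 2$, then $\mathrm{Id} = -\mathrm{Id}$ in $\mathrm{GL}_2(\mathbb{Z}_N)$. Therefore $(E_{j_0}, P, Q)$ and its
quadratic twist correspond to the same Frobenius matrix, so we have $\#B =
2\#A$. In the proof of Theorem 4 below, this is compensated by the fact that
$\#\mathrm{SL}_2(\mathbb{Z}_N) = 2\#\mathrm{PSL}_2(\mathbb{Z}_N)$ if $N > 2$, whereas $\#\mathrm{SL}_2(\mathbb{Z}_N) = \#\mathrm{PSL}_2(\mathbb{Z}_N)$ if
$N = 2$.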
We can now state and prove our main theorem.

Theorem 4 Denote with $\mathcal{M}_q$ the subset of $\mathrm{GL}_2(\mathbb{Z}_N)$ of matrices with
determinant $q$, and let $\mathcal{F}$ be a $\mathrm{GL}_2(\mathbb{Z}_N)$-conjugacy class in this set. Let $E_{j_0}$ represent
a uniformly randomly chosen $\mathbb{F}_q$-isomorphism class of elliptic curves over $\mathbb{F}_q$,
and let $\mathcal{F}_{E_{j_0}} \subset \mathrm{GL}_2(\mathbb{Z}_N)$ be the conjugacy class determined by the action of
$q$th-power Frobenius on $E_{j_0}[N]$. The probability $P_{\mathcal{F}}$ that $\mathcal{F}_{E_{j_0}} = \mathcal{F}$ satisfies



#Mq 



< 



#Mq 



(4[L : K] + 4gL 



1 23 
2 — + -. 



The estimate in the theorem is easily seen to be 0{N'^q~^^^), which gives an 
idea about how large q has to be with respect to N in order to find a meaningful 
result. 



Proof. We suppose N > 2 (see Note [T] for the case N = 2). The set W of 
(Fg-isomorphism classes of) elliptic curves over has 2q + d elements, with 
< S < 22 depending on the finite field F^; see Corollary [3] in the Appendix 
below. Denote with V C W the set of elliptic curves Ejg for which ^Ejg = ^■ 
By Corollary [3l V contains at most e < 24 elliptic curves with j-invariant or 
1728, and all other curves in V correspond to #PSL2(ZAr) tuples {Ejg,P,Q) 
(with eN{P,Q) = Cn) up to F^-isomorphism. Combined with the definition of 
B from Corollary [H this gives the equality 

(#y-e)-#PSL2(Z^) = #i?.#.F. 

Now we can compute Pyr as follows: 



#W {2q + 5)#VSU{ZN) 2q + 6 
A first estimate of this probability is then 



#SL2(Z 



N) 



+ 5/2 



< 



12 



Using Corollary [Hand = ^SL2{Zn) this implies 



V:f- 



#Mq \q + 5/2 
Noting that < #Mq and 



< 



1 



12 



(4[i : K] + AgL ■ 



we finally arrive at 



V:f- 



*Mq 



< 



q + S/2 

12 + 6/2 

q *Mq 



< 



2g' 



{4[L:K]+4gL + 2) — 



1 
which concludes the proof.



□ 



We will now prove Lemma 1. Our proof essentially uses the proof of the
Chebotarev density theorem for function fields as given in Section 5.4 of [9].
We remark that Theorem 4 seems not to follow from the density theorem itself;
we really need parts of its proof. The reason is that the Frobenius matrix (up
to sign) corresponding to a point $\mathcal{E} = (E_{j_0}, P, Q) \in Y(N)$ and the Frobenius
automorphism in $\mathrm{PSL}_2(\mathbb{Z}_N)$ associated to the prime ideal $\mathfrak{P}_{\mathcal{E}} \subset S$ are only
related through multiplication by



e H, 



which tears the conjugacy classes apart when $q \not\equiv 1 \bmod N$. In general, there
is no bijection between the conjugacy classes of Frobenius automorphisms and
the conjugacy classes of Frobenius matrices. Note that if $q \equiv 1 \bmod N$ then the
above matrix becomes the identity, and it is indeed possible to use the
Chebotarev density theorem rather directly.




Proof of Lemma [TJ We denote with P{L) the set of prime ideals of S which 
are unramified over K, and let P{K) be the set of prime ideals of R. For 
P G P{L) we write pp := P fl i?, the i?-ideal below P. The conjugacy class of 
T e PSL2(^Ar) wiU be denoted by Mr- Define 



CiiL/K,Mr) 



L/K 



= Mr; deg(p) = l 



Note that the condition deg(p) = 1 is equivalent to the associated j-invariant 
living in ¥q. Let 



Di{L/K,t) PeP(L) 



L/K 



r; pp eC\iL/K,M., 



If we look at 9, Proposition 5.16] and particularly the formulas (15), (16) and 
(17) appearing in its proof, we find with d = [K : Vq{j)] = 1, n — k — 1, qk = 
and m — [L : K] that 



#C^{L/K,Mr)-^^Yq 



From Lemma 5.9(b)] with = Ci(L/JC, A^^) and hence L>i(r) ^ Di{L/K,t) 
we see that 



#Ci{L/K,Mr)=#Mr 



ord(T) 



[L : K] 

We insert this in equation ([4]) and divide by ^A4r'- 



#D^{L/K,t) 



ord(T) 



[L:K] 



#D,iL/K,T) 



[L:K] 



(5) 
From [9, Lemma 5.9(a)] it follows that the number of points $\mathcal{E} = (E_{j_0}, P, Q) \in
Y(N)$ with $\mathfrak{m}_{\mathcal{E}}$ lying above some fixed $\mathfrak{P} \in D_1(L/K, \tau)$ equals $\operatorname{ord}(\tau)$, so that
our lemma follows from (5), after multiplying both sides with $[L : K]$. □



4 The distribution of Frobenius traces mod 

Let $\mathbb{F}_q$ be a finite field with $q$ elements, take $t \in \mathbb{Z}$ and let $N > 2$ be an integer
coprime to $q$. Using Theorem 4, we will estimate the probability that a randomly
chosen elliptic curve over $\mathbb{F}_q$ has trace of Frobenius congruent to $t$ modulo $N$. A
first observation is that this probability converges to a multiplicative arithmetic
function. Indeed, if $N = A \cdot B$ with $A$ and $B$ coprime, then we have an obvious
isomorphism $\mathrm{GL}_2(\mathbb{Z}_N) \cong \mathrm{GL}_2(\mathbb{Z}_A) \oplus \mathrm{GL}_2(\mathbb{Z}_B)$, and this bijection respects the
sets of matrices with determinant $q$ and trace $t$ (modulo $N$ resp. $A$ and $B$).
Therefore, in order to make the formulas not too complicated, we will confine
ourselves to $N = \ell^n$, where $\ell$ is a prime that does not divide $q$.

It is easy to verify that $\#\mathrm{SL}_2(\mathbb{Z}_{\ell^n}) = \ell^{3n-2}(\ell^2 - 1)$. With $a \in \mathbb{Z}_{\ell^n} \setminus \{0\}$, we
define the valuation $\operatorname{ord}(a)$ as the $\ell$-adic valuation of $a$ embedded in $\mathbb{Z}$, whereas
we will put $\operatorname{ord}(0) = +\infty$. Let for $\ell \geq 3$ the map $\varphi : \mathbb{Z} \to \mathbb{Z}$ be defined as
$\varphi = \psi \circ \chi$, where $\chi : \mathbb{Z} \to \mathbb{Z}_{\ell^n}$ is the natural projection and $\psi : \mathbb{Z}_{\ell^n} \to \mathbb{Z}$ is given
by

£2n _^ £2n-i if A is a nonzero square, 

£2n ^ £2n-i _ 2£2n-|-i ^ jg square, k := ord(A) is even, 

£2n ^ £2n-l _ ^ l)£2n-i^ jf ord(A) is odd, 

£2n ^ f2n-i _ £^-1 if A = and n is cveu, 

£2n ^ £2n-i _ if A = and n is odd. 

We refer to the end of this section for the definition of $\psi$ in case $\ell = 2$.

Theorem 5 Let $\mathbb{F}_q$, $t$ and $\ell^n$ be as above and define $\Delta_t = t^2 - 4q$. Let $E$ be a
uniformly randomly chosen $\mathbb{F}_q$-isomorphism class of elliptic curves over $\mathbb{F}_q$, and
let $T$ be its trace of Frobenius. The probability $P(t)$ that $T \equiv t \bmod \ell^n$ satisfies



Pit)- ^'^ 



I'in „ £3n-2 



4[L:j^]+4g, + 2 7^+23 _ 



Here $[L : K] = \#\mathrm{PSL}_2(\mathbb{Z}_{\ell^n})$ and $g_L = 1 + [L : K](\ell^n - 6)/(12\ell^n)$ as in
Section 2. Note that this theorem implies that $P(t) \to \varphi(\Delta_t)/(\ell^{3n} - \ell^{3n-2})$ for
$q \to \infty$ under the restriction that $q$ stays in a single congruence class modulo

Before proving Theorem 5, we discuss some corollaries. The number of
rational points on an elliptic curve $E$ over $\mathbb{F}_q$ with trace of Frobenius $T$ equals
$q + 1 - T$. Hence we can estimate the probability that $\ell^n \mid \#E(\mathbb{F}_q)$ by applying
Theorem 5 with $t = q + 1$. Note that then $t^2 - 4q = (q - 1)^2 \bmod \ell^n$. Using
this, we partly recover the results of Howe [14].
If we suppose $\ell \geq 3$ and $n = 1$, then the above theorem becomes quite pretty,
namely

(j^ if i2 _ 4(7 = in F,, 
P{t) ^ < if - 4g e F,^ is a square, 

[ if — 4(7 e F/ is a nonsquare. 

This generalizes Lenstra's result [12] which states that the probability of
$\ell$-torsion approaches $\ell/(\ell^2 - 1)$ if $q \equiv 1 \bmod \ell$ and $1/(\ell - 1)$ otherwise.

The remainder of this section will be devoted to the proof of Theorem 5. It
suffices to show that the number of matrices in $\mathrm{GL}_2(\mathbb{Z}_{\ell^n})$ with determinant $q$
and trace $t$ equals $\varphi(\Delta_t)$, with $\Delta_t = t^2 - 4q$. Indeed, then Theorem 4 implies
that $P(t)$ satisfies



Pit) 



<^.(4[L:i^] + 4,. + 2)^+™.^, 



where $m$ is the number of $\mathrm{GL}_2(\mathbb{Z}_{\ell^n})$-conjugacy classes of such matrices. Since
$m \leq \varphi(\Delta_t) \leq \ell^{2n} + \ell^{2n-1}$ and $\#\mathcal{M}_q = \ell^{3n} - \ell^{3n-2}$, the theorem follows. Note
that the counting of matrices described below was already done by Gekeler [11,
Theorem 4.4] for the case $n > 2 \cdot \operatorname{ord}(\Delta) + 2$, using different techniques.

Let ( 2 ) G Gh2{Zen) have determinant q and trace t. A trivial computa- 
tion yields that these conditions are equivalent to the system of equations 

u = t ~ z, xy = — tz + q. (6) 

By completing the square, the above system has as many solutions as 

u^t~ z, xy^z^- At/4, (7) 

provided that $t/2$ exists modulo $\ell^n$. Suppose for the rest of the proof that $\ell \geq 3$
and $\Delta_t \in \mathbb{Z}_{\ell^n}$; we refer to the end of this section for the situation $\ell = 2$. Clearly
all relevant properties (valuation, being a square or not) of $\Delta_t$ and $\Delta_t/4$ are
the same, hence if we can show that the number of solutions to $xy = z^2 - \Delta_t$
equals $\varphi(\Delta_t)$, we are done. For each value of $z$, we will determine the valuation
of $z^2 - \Delta_t$. Then the number of corresponding solutions $(x, y)$ can be computed
using the following lemma.

Lemma 2 Let $\ell$ be any prime number, let $n \in \mathbb{Z}_{\geq 1}$ and $a \in \mathbb{Z}_{\ell^n}$. Write
$k := \operatorname{ord}(a)$. Then the equation $xy = a$ has the following number of solutions
$(x, y)$ in $(\mathbb{Z}_{\ell^n})^2$:

$$\begin{cases} (k + 1)(\ell^n - \ell^{n-1}) & \text{if } a \neq 0, \\ (n + 1)(\ell^n - \ell^{n-1}) + \ell^{n-1} & \text{if } a = 0. \end{cases}$$

Proof. Suppose $a \neq 0$, the other case works similarly. We can take $x$ to be
any number with valuation $i \in \{0, 1, \ldots, k\}$. For each $i$, the number of such $x$ is
$\ell^{n-i} - \ell^{n-i-1}$. Every choice of $x$ fixes all but the last $i$ $\ell$-adic digits of $y$, hence
we have $\ell^i$ possibilities for $y$. In total this amounts to

$$\sum_{i=0}^{k} (\ell^{n-i} - \ell^{n-i-1})\ell^i = \sum_{i=0}^{k} (\ell^n - \ell^{n-1}) = (k + 1)(\ell^n - \ell^{n-1})$$

solutions $(x, y)$. □

Another tool will be the following formula, which is easily proven by induc- 
tion: 

Lemma 3 Let £ be any prime number, let n > 1 be an integer and k € 
{0, 1, . . . , n}. Then 

k 

Suppose first that $\Delta_t = 0$ and $n$ even. Then $\operatorname{ord}(z^2 - \Delta_t) = \operatorname{ord}(z^2)$ for all
$z$, and the number of solutions to $xy = z^2 - \Delta_t$ with $\operatorname{ord}(z) < n/2$ equals

$$\sum_{i=0}^{n/2-1} (\ell^{n-i} - \ell^{n-i-1})(2i + 1)(\ell^n - \ell^{n-1}),$$

by Lemma 2. For $\operatorname{ord}(z) \geq n/2$, we find

$$\ell^{n/2}\left((n + 1)(\ell^n - \ell^{n-1}) + \ell^{n-1}\right)$$

additional solutions. Using Lemma 3 one verifies that the sum of these
expressions equals $\varphi(0)$. If $n$ is odd, then the reasoning is similar.

Let us now assume that $\Delta_t$ is a nonzero square, i.e. $\Delta_t = \ell^{2k}A^2$, where
$2k < n$ and $A$ is a unit. Under the change of variables $(x, y, z) \leftarrow (Ax, Ay, Az)$
our equation becomes

$$xy = z^2 - \ell^{2k}. \qquad (8)$$

We will use induction on $k$ to show that (8) has $\varphi(\Delta_t) = \ell^{2n} + \ell^{2n-1}$ solutions.
For $k = 0$ we have $xy = z^2 - 1$. If $x$ is any unit, we have $y = x^{-1}(z^2 - 1)$ and $z$
can be chosen arbitrarily. If $x$ is a nonunit and $y$ is arbitrary, we have 2 different
solutions $z = \pm 1$ modulo $\ell$, which can both be lifted to $\mathbb{Z}_{\ell^n}$. In total this gives

$$(\ell^n - \ell^{n-1})\ell^n + 2\ell^{n-1}\ell^n = \ell^{2n} + \ell^{2n-1}.$$

Suppose now that $k \geq 1$. There are $\ell^{2n} - \ell^{2n-1}$ solutions for which $x$ is a
unit. There are $(\ell^n - \ell^{n-1})\ell^{n-1}$ solutions for which $y$ is a unit and $z$ (and
hence $x$) are nonunits. The solutions for which $x$ and $y$ are both nonunits
can be determined using the induction hypothesis. Indeed, a triplet $(x, y, z) =
(\ell x', \ell y', \ell z')$ satisfies (8) if and only if $(x', y', z')$ satisfies

$$x'y' = z'^2 - \ell^{2k-2} \quad \text{over } \mathbb{Z}_{\ell^{n-2}},$$

which has $\ell^{2n-4} + \ell^{2n-5}$ solutions. For each $x' \in \mathbb{Z}_{\ell^{n-2}}$ there are $\ell$ corresponding
values for $x = \ell x'$ mod $\ell^n$ and similar for $y$ and $z$. In total we find then

$$\ell^{2n} - \ell^{2n-1} + (\ell^n - \ell^{n-1})\ell^{n-1} + \ell^3(\ell^{2n-4} + \ell^{2n-5}) = \ell^{2n} + \ell^{2n-1}.$$

Next, if $k = \operatorname{ord}(\Delta_t) < +\infty$ is odd, we find the following sum for the number
of solutions

$$\sum_{i=0}^{(k-1)/2} (\ell^{n-i} - \ell^{n-i-1})(2i + 1)(\ell^n - \ell^{n-1}) + \ell^{n-(k+1)/2}(k + 1)(\ell^n - \ell^{n-1}),$$

which by Lemma 3 equals $\varphi(\Delta_t)$.

Finally, with $k$ even but nonsquare we get

$$\sum_{i=0}^{k/2-1} (\ell^{n-i} - \ell^{n-i-1})(2i + 1)(\ell^n - \ell^{n-1}) + \ell^{n-k/2}(k + 1)(\ell^n - \ell^{n-1}),$$

and again the result follows from Lemma 3. This completes the proof for $\ell \geq 3$.
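
The counts used in this proof can be checked by machine. The following Python sketch is an added example, not code from the paper: it compares Lemma 2 and the matrix count $\varphi(\Delta_t)$ (for $n = 1$, and for a unit square $\Delta_t$ with general $n$) against brute-force enumeration, and evaluates the limit $\varphi(\Delta_t)/(\ell^3 - \ell)$ of Theorem 5 for $n = 1$. All function names are chosen here for illustration, and $\ell$ is assumed to be an odd prime wherever the Legendre symbol is used.

```python
from fractions import Fraction
from itertools import product


def ord_ell(a, ell):
    """ell-adic valuation of a nonzero integer a."""
    k = 0
    while a % ell == 0:
        a //= ell
        k += 1
    return k


def lemma2_count(a, ell, n):
    """Number of (x, y) in (Z/ell^n)^2 with xy = a, as stated in Lemma 2."""
    m = ell ** n
    a %= m
    units = ell ** n - ell ** (n - 1)
    if a == 0:
        return (n + 1) * units + ell ** (n - 1)
    return (ord_ell(a, ell) + 1) * units


def brute_xy(a, ell, n):
    """Direct enumeration of the solutions of xy = a over Z/ell^n."""
    m = ell ** n
    return sum(1 for x, y in product(range(m), repeat=2) if (x * y - a) % m == 0)


def brute_matrices(t, q, ell, n):
    """Direct enumeration of matrices (z x; y u) over Z/ell^n with trace t, determinant q."""
    m = ell ** n
    return sum(
        1
        for z, x, y, u in product(range(m), repeat=4)
        if (z + u - t) % m == 0 and (z * u - x * y - q) % m == 0
    )


def count_via_lemma2(t, q, ell, n):
    """Same count through the reduction u = t - z, xy = zu - q, summing Lemma 2 over z."""
    m = ell ** n
    return sum(lemma2_count(z * (t - z) - q, ell, n) for z in range(m))


def legendre(a, ell):
    """Legendre symbol (a / ell) for an odd prime ell."""
    a %= ell
    if a == 0:
        return 0
    return 1 if pow(a, (ell - 1) // 2, ell) == 1 else -1


def phi_n1(t, q, ell):
    """phi(Delta_t) for n = 1: ell^2 + (Delta_t / ell) * ell with Delta_t = t^2 - 4q."""
    return ell ** 2 + legendre(t * t - 4 * q, ell) * ell


def limiting_probability(t, q, ell):
    """Limit of P(t) for n = 1: phi(Delta_t) / #M_q with #M_q = ell^3 - ell."""
    return Fraction(phi_n1(t, q, ell), ell ** 3 - ell)


if __name__ == "__main__":
    # Lemma 2 over Z/9: every right-hand side a, including a = 0.
    for a in range(9):
        print("xy =", a, "mod 9:", brute_xy(a, 3, 2), lemma2_count(a, 3, 2))

    # n = 1, ell = 5: all traces and all unit determinants.
    for t, q in product(range(5), range(1, 5)):
        assert brute_matrices(t, q, 5, 1) == phi_n1(t, q, 5)

    # Unit square discriminant over Z/9 (t = 0, q = 2, Delta_t = -8 = 1 mod 9):
    # the proof predicts ell^(2n) + ell^(2n-1) = 81 + 27 matrices.
    print(brute_matrices(0, 2, 3, 2), count_via_lemma2(0, 2, 3, 2))

    # Probability that 5 divides #E(F_q), i.e. t = q + 1 (constructed sample values of q).
    for q in (7, 11):
        print("q =", q, "->", limiting_probability(q + 1, q, 5))
```

With $t = q + 1$ the last loop returns $1/(\ell - 1)$ for $q \not\equiv 1 \bmod \ell$ and $\ell/(\ell^2 - 1)$ for $q \equiv 1 \bmod \ell$, the two values in Lenstra's result quoted above.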

We end this section by considering the case $\ell = 2$. The appropriate
description of $\varphi$ depends now on its argument mod $2^{n+2}$ rather than mod $2^n$.
More precisely, $\varphi = \psi \circ \chi$ where $\chi : \mathbb{Z} \to \mathbb{Z}_{2^{n+2}}$ is the natural projection and

$\psi : \mathbb{Z}_{2^{n+2}} \to \mathbb{Z}$ is partially given by

if A is odd, 

if A 7^ is even and k := ord(A) is odd, 
if A = mod 2"+^ and n is even, 
if A = mod 2"+^ and n is odd. 

In case A ^ is even and ord(A) = 2fc > is even as well, the definition of tp 
is more complicated. Let D be such that A = 2^''D. Then: 

ifn = 2fc-l: 
if n = 2k, 

if n > 2fc + 1, 



We will now prove that for any $t \in \mathbb{Z}$, the number of solutions (over $\mathbb{Z}_{2^n}$)
to the system (6) is precisely $\varphi(\Delta_t)$, where $\Delta_t = t^2 - 4q$. Note first that if $t$
A



•22n-l 

22" + 22"-i-3-22"-^ 

22n ^ 22"-l - 2^"^ 
2n ^ 22«-l - 2^^ 







V'(A) 


D = 


1 mod 4 


^(A) 


D EE 


3 mod 4 


i:{A) 


D EE 


3 mod 4 


V'(A) 


D EE 


5 mod 8 


V'(A) 


D EE 


1 mod 8 


^(A) 



22n _ 


h 22"- 


1 


-2^, 


22n _ 


h 22"- 


1 


-2^-1, 


22ri _ 


h22"- 


1 


-3-2^-1, 


22ri _ 


h22"- 


1 


- 3 • 22"-*^- 


22n _ 


h22"- 


1 




22"- 


h 22"- 


1 





(or equivalently $\Delta_t$) is odd, we have that $\operatorname{ord}(z^2 - tz + q) = 0$ for all $z$. Then
Lemma 2 gives a total of

$$2^n(2^n - 2^{n-1}) = 2^{2n-1} = \varphi(\Delta_t)$$

solutions.

Therefore suppose that t is even. Then At = mod 4, and it makes sense 
to complete the square in ^ and analyze the system ([7]) instead. As we are 
interested in solutions modulo 2", from now on we will consider At/4 as an 
element of ■ Note that this depends on At mod 2"+^ . Copying the proofs of 
the corresponding cases above, the system ([7]) has (p{^t) solutions if Af/4 = 
(in or if ord(At/4) < n is odd. Hence we assume that ord(At/4) — 2k < n 
is even. Let D e be such that = At/4, li i = ord(2) < k we have 

ord(z^ — At/4) = 2i, so by Lemma [2] and Lemma |3] all such z together account 
for 

K-l 

S ^(2""' - 2"-'-^){2i + 1)(2" - 2"-^) = 2^" + 2^""-^ - (2k + 3)22"-"-! 

solutions (a;,y, z). From now on we assume ord(2:) > k and put z = 2'^z', so 
that our equation becomes 

xy = 2^''{z'^ -D). 

Note that z' is only well-determined modulo 2"^", and that we are interested 
in z'2 - D mod 2"-2k, 

If n = 2k + 1 we have two possibilities: either z' = mod 2, which gives 
2n-K-i^2K + 1)2"-"^ solutions {x, y, z' mod 2""'^), or z' = 1 mod 2, which gives 
2n-K-i^^j^ + 1)2"^^ + 2"^^) solutions. If we add S to these two numbers, we 
find the requested result. 

Let n = 2k + 2, then we have to distinguish between D = 1 mod 4 and 
Z) = 3 mod 4. For example, if = 3 mod 4 and z' is odd, the valuation of 
22kj-^/2 _ j-)^ equals 2k -I- 1, since 3 is not a quadratic residue modulo 4. We 
leave further details to the reader. 

Finally we assume that n > 2k+3. The cases D = 3 mod 4 and D = 5 mod 8 
are similar to the situation n = 2k + 2 above, so we only go into more details 
for D = 1 mod 8. Then we know that D is a square modulo 2""^" and we can 
proceed as in the case £ > 3 and At a nonzero square. However, things work 
differently for the induction step k = 0, i.e. xy = z^ — 1 mod 2", n > 3. As 
the valuation of — 1 cannot be 1 or 2, we have to consider four situations. 
Firstly, ord(a;) — 0, then z can be chosen arbitrarily and we find 2"^^ • 2" 
solutions. Secondly, ord(x) — 1, then ord(?/) > 2 and we can lift the four 
solutions z = 1, 3, 5, 7 mod 8 to which gives a total of 4.2"~^2"~^ solutions. 
Third, ord(x) = 2 and ord(y) > 1 which gives again 2^"~^ solutions. Finally, 
ord(x) > 3 and y is arbitrary, which gives 4 • 2"^^2" solutions. Adding all these 
terms together gives 2^" + 2^"~^ solutions. 
5 The distribution of Frobenius traces mod p

Theorem 6 Let p > b be a prime number, let k > 1 be an integer, and let 
t € {1, . . . ,p — 1}. Let St be the set of couples in 

S={{A,B)e (Fp. )2 I 4A^ + 27 ^ 0} 

e T of p^ 
= X'-' + Ax + B satisfies 

Then #5 = p^^ - p^ and 



for which the trace T of p^th-power Frobenius of the elliptic curve defined by 
„2 _ ^3 



T — t mod p 



p-l 



#+1 



J2k 



Proof. We leave it as an exercise to show that $\#S = p^{2k} - p^k$.

For each $(A, B) \in S$, one has that $T \bmod p$ equals the norm (with respect
to $\mathbb{F}_{p^k}/\mathbb{F}_p$) of the coefficient $c_{A,B}$ of $x^{p-1}$ in

$$(x^3 + Ax + B)^{\frac{p-1}{2}}$$

(see the proof of [20, Theorem V.4.1(a)]). Lemma 4 below shows that for every
$\gamma \in \mathbb{F}_{p^k} \setminus \{0\}$, the polynomial $c_{A,B} - \gamma$ is absolutely irreducible and nonzero.

Now write $S'_t$ for the set of couples $(A, B) \in (\mathbb{F}_{p^k})^2$ in which $c_{A,B}$ evaluates to
an element $\gamma \in \mathbb{F}_{p^k} \setminus \{0\}$ with norm $t$ (regardless of the condition
$4A^3 + 27B^2 \neq 0$). Note that there are

$$\frac{p^k - 1}{p - 1}$$

such $\gamma$'s. For each of these the polynomial $c_{A,B} - \gamma$ defines a plane affine curve,
by the irreducibility proven above. Its degree is bounded by $d = 3(p-1)/2$,
hence its (geometric) genus is at most $(d-1)(d-2)/2$, and the number of points
at infinity is at most $d$. Therefore the set $S^\gamma_t \subset S'_t$ of couples satisfying $c_{A,B} = \gamma$
is subject to

$$\left| \#S^\gamma_t - (p^k + 1) \right| \leq (d-1)(d-2)\sqrt{p^k} + d \leq \frac{9}{4}\, p^{\frac{k}{2}+2}$$

by the Hasse-Weil bound. Remark that this includes the singular case, where
the number of points may become smaller, but the Hasse-Weil bound tightens
at bigger speed.

Summing up, and using $(p^k - 1)/(p - 1) \leq \frac{5}{4} p^{k-1}$ (since $p \geq 5$),

$$\left| \#S'_t - \frac{p^{2k} - 1}{p - 1} \right| \leq \frac{45}{16}\, p^{\frac{3}{2}k + 1}.$$



Therefore, because #{3^ \ St) < p^ and hp^ ^ <P^ < jiV^^^^^ ^ we obtain 



*St 



p 



2k 



< 



p-l 

which ends the proof. 



#St 



- 1 



p'' - 1 



< 



45 
16 



1 

11 



5 J_ 
4 ' 55 



□ 






Corollary 2 Let $p$ be any prime number. Let $t \in \{0, \dots, p-1\}$, and for each
$k \geq 1$ we denote by $P_k(t)$ the proportion of elliptic curves over $\mathbb{F}_{p^k}$ (modulo
$\mathbb{F}_{p^k}$-isomorphism) for which the trace of Frobenius is congruent to $t \bmod p$. If
$t \neq 0$, then

$\lim_{k \to \infty} P_k(t) =$

whereas

$$\lim_{k \to \infty} P_k(0) = 0.$$

Proof. If $t \neq 0$ and $p \geq 5$, then the result easily follows from Theorem 6, see
also the Appendix below.

If $t = 0$, then the curves of consideration are supersingular, and by [20,
Theorem V.3.1] their $j$-invariants must be contained in $\mathbb{F}_{p^2}$. Using Corollary 3
this implies

$$\lim_{k \to \infty} P_k(0) \leq \lim_{k \to \infty} \frac{24p^2}{2p^k} = 0.$$

If $p = 2$, the result then trivially follows from $P_k(0) + P_k(1) = 1$.

If $p = 3$, this works similarly, since quadratic twisting provides a bijection
between the set of elliptic curves having trace 1 mod 3, and the set of elliptic
curves with trace 2 mod 3. □

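Lemma 4 Let $p \geq 5$ be a prime number and let $c_{A,B} \in \mathbb{F}_p[A, B]$ be the coefficient
of $x^{p-1}$ in

$$(x^3 + Ax + B)^{\frac{p-1}{2}} \in \mathbb{F}_p[A, B][x].$$

Then $c_{A,B}$ is homogeneous of (2, 3)-weighted degree $(p-1)/2$, nonzero, and
absolutely squarefree. As a consequence, for any $\gamma \in \overline{\mathbb{F}}_p \setminus \{0\}$, the polynomial

$$c_{A,B} - \gamma \in \overline{\mathbb{F}}_p[A, B]$$

is irreducible.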

Proof. One verifies that 



from which it immediately follows that $c_{A,B}$ is nonzero and homogeneous of
degree $(p-1)/2$ if we equip $A$ and $B$ with weights 2 and 3 respectively. Now



p-1 
6 



6 



where $\delta$ equals 0 or 1/3. From this we see that

p — I P ^ f 
equals 0 or 1. In particular, since all coefficients in (9) are nonzero, we see that
$A$ appears as a factor at most once. Similarly, one checks that $B$ appears as a
factor at most once.

Let $g$ be obtained from $c_{A,B}$ by deleting the factors $A$ and $B$ when possible.
Define $\varepsilon_A$ (resp. $\varepsilon_B$) to be 1 if a factor $A$ (resp. $B$) was deleted, and
0 otherwise. Then $g$ is still homogeneous, of degree $(p-1)/2 - 2\varepsilon_A - 3\varepsilon_B$.
After dividing by a suitable power of $A$ and considering the resulting polynomial
in the single variable $B^2/A^3$, one verifies that $g$ splits (over $\overline{\mathbb{F}}_p$) as

$$c(B^2 - \alpha_1 A^3)(B^2 - \alpha_2 A^3) \cdots (B^2 - \alpha_r A^3) \qquad (10)$$

with $r = \frac{1}{6}\left((p-1)/2 - 2\varepsilon_A - 3\varepsilon_B\right)$ and all $\alpha_i \neq 0$. Each of these factors
corresponds to a $j_i \neq 0, 1728$ for which the elliptic curve over $\overline{\mathbb{F}}_p$ with $j$-invariant
$j_i$ is supersingular, and conversely all supersingular $j$-invariants different from
0, 1728 must be represented this way. Now one has that the number of supersingular
$j$-invariants different from 0, 1728 is precisely given by $r$ (see the proof
of [20, Theorem V.4.1(c)]). Therefore, all factors in (10) must be different, and
in particular $c_{A,B}$ must be squarefree.

Now let $\gamma \in \overline{\mathbb{F}}_p \setminus \{0\}$ and suppose we had a nontrivial factorization

$$c_{A,B} - \gamma = (F_1 + X_1)(F_2 + X_2),$$

where $F_1$ and $F_2$ are the components of highest degree of the respective factors.
Then it follows that $F_1 F_2 = c_{A,B}$, so $F_1$ and $F_2$ cannot have a common factor.
It also follows that

$$X_1 F_2 + X_2 F_1 + X_1 X_2 + \gamma = 0. \qquad (11)$$

Let $X'_1$ and $X'_2$ be the components of highest degree of $X_1$ and $X_2$ respectively.
Suppose $\deg X'_1 F_2 > \deg X'_2 F_1$. Then $X'_1 F_2$ is zero, because it cannot be
cancelled in (11). But then $X'_1 = X_1 = 0$ and we run into a contradiction. By
symmetry, we conclude that $\deg X'_1 F_2 = \deg X'_2 F_1$. But then $X'_1 F_2 + X'_2 F_1 = 0$.
So all factors of $F_1$ must divide $X'_1 F_2$, which is impossible unless $X'_1 = 0$, and
we again run into a contradiction. □
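
The congruence used in the proof of Theorem 6, that $T \bmod p$ is the norm of the coefficient $c_{A,B}$, can be checked by brute force for $k = 1$, where the norm is the identity. The Python code below is an added example, not code from the paper; the function names are chosen here, and it also tallies how many pairs in $S$ fall in each residue class of $T \bmod p$.

```python
def poly_mul(f, g, p):
    """Multiply coefficient lists (lowest degree first) over F_p."""
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return out


def hasse_invariant(A, B, p):
    """c_{A,B}: coefficient of x^(p-1) in (x^3 + A*x + B)^((p-1)/2) over F_p."""
    power = [1]
    for _ in range((p - 1) // 2):
        power = poly_mul(power, [B % p, A % p, 0, 1], p)
    return power[p - 1]


def trace_of_frobenius(A, B, p):
    """T = p + 1 - #E(F_p), i.e. minus the sum of Legendre symbols of x^3 + A*x + B."""
    total = 0
    for x in range(p):
        v = (x**3 + A * x + B) % p
        if v:
            total += 1 if pow(v, (p - 1) // 2, p) == 1 else -1
    return -total


def trace_histogram(p):
    """For k = 1: check T = c_{A,B} mod p on all of S and count pairs per residue."""
    hist = [0] * p
    for A in range(p):
        for B in range(p):
            if (4 * A**3 + 27 * B**2) % p == 0:
                continue  # singular cubic, (A, B) is not in S
            T = trace_of_frobenius(A, B, p)
            if (T - hasse_invariant(A, B, p)) % p != 0:
                raise ValueError(f"T != c_(A,B) mod {p} for (A, B) = ({A}, {B})")
            hist[T % p] += 1
    return hist


if __name__ == "__main__":
    for p in (5, 7, 11, 13):
        hist = trace_histogram(p)
        print(p, sum(hist), hist)   # sum(hist) is #S = p^2 - p
```

For $k = 1$ the Hasse interval is shorter than $p$, so many residue classes are empty; the equidistribution of Theorem 6 only becomes visible as $k$ grows.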

6 The probability of a point of order $N$

Let $q$ be a prime power and let $N \geq 2$ be any integer coprime to $q$. In this
section we ask for the probability $P'(N)$ that a random $\mathbb{F}_q$-isomorphism class
$E$ of elliptic curves over $\mathbb{F}_q$ has an $\mathbb{F}_q$-rational point of order precisely $N$. It is
well-known (see e.g. [20, Exercise 5.6]) that

$$E(\mathbb{F}_q), + \;\cong\; \mathbb{Z}_k \oplus \mathbb{Z}_m$$

for integers $k, m$ such that $k \mid m$ and $k \mid q - 1$. Hence if $\gcd(N, q - 1) = 1$, then
$P'(N)$ equals the probability $P(q + 1)$ that $N \mid \#E(\mathbb{F}_q)$ (see Theorem 5).

As in the previous section we will use Theorem 4, which implies that $P'$
behaves as a multiplicative arithmetic function of $N$ as $q \to \infty$. So we can
assume that $N = \ell^n$ with $\ell$ prime and $\ell \nmid q$. As we just explained, this is only
interesting when $\ell \mid q - 1$.

Theorem 7 Take $\mathbb{F}_q$ and $\ell^n$ as above. Let $\nu \geq 1$ be the $\ell$-adic valuation of $q - 1$
and define $\theta_{\ell^n}$ by



1 



Pn+2i/-l(p2 



{P-l) 



if $q \equiv 1 \bmod \ell^n$, i.e. $\nu \geq n$,



elsewhere. 



We have 



We refer to Section [2] for the definition of [L : K] and g^. The following small 
example might shed some light on the difference between Theorems 5 and 7.
Let $\ell^n = 9$, $q \equiv 1 \bmod 9$ and $E$ a random elliptic curve over $\mathbb{F}_q$. The probability
$P(q + 1)$ that $\#E(\mathbb{F}_q) \equiv 0 \bmod 9$ approaches (for $q \to \infty$) 11/72. However, the
approximate probability that $E$ has a point of order 9 is smaller, namely 9/72.
A corollary is that the probability that $E(\mathbb{F}_q)[9] \cong \mathbb{Z}_3 \oplus \mathbb{Z}_3$ tends to 2/72.

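Proof of Theorem 7. Let $E/\mathbb{F}_q$ be an elliptic curve and $F_E \in \mathrm{GL}_2(\mathbb{Z}_{\ell^n})$
the matrix of $q$th-power Frobenius with respect to any basis of $E[\ell^n]$. If $E$ has
an $\mathbb{F}_q$-rational point $P$ of order $\ell^n$ then we can take any $Q$ such that $(P, Q)$ is
a basis of $E[\ell^n]$ and the matrix of Frobenius with respect to this basis equals
$\begin{pmatrix} 1 & w \\ 0 & q \end{pmatrix}$ for a certain $w \in \mathbb{Z}_{\ell^n}$. Moreover, $F_E$ is $\mathrm{GL}_2(\mathbb{Z}_{\ell^n})$-conjugated to this
matrix, and the converse implication holds as well: if $F_E$ is in the conjugacy
class of a matrix $\begin{pmatrix} 1 & w \\ 0 & q \end{pmatrix}$, then $E$ has an $\mathbb{F}_q$-rational point of order $\ell^n$. Note
that this condition is equivalent to $F_E$ having an eigenvector with eigenvalue 1
which is not the zero vector modulo $\ell$. We will show that the number of such
matrices equals $\theta_{\ell^n} \cdot \#\mathrm{SL}_2(\mathbb{Z}_{\ell^n})$. Then the theorem follows using precisely the
same argument we explained in the beginning of the proof of Theorem 5.

The conjugacy classes of matrices of the form $\begin{pmatrix} 1 & w \\ 0 & q \end{pmatrix}$ are determined by their
representants $M_a$ in Lemma 5 below. The size of the conjugacy class $\mathrm{Cl}_a$ of $M_a$
can be computed as follows. Let $\mathrm{St}_a$ be the stabilizer subgroup of $M_a$, then the
classical orbit-stabilizer theorem states that $\#\mathrm{St}_a \cdot \#\mathrm{Cl}_a = \#\mathrm{GL}_2(\mathbb{Z}_{\ell^n})$. Hence
it suffices to compute the size of $\mathrm{St}_a$. We know that $\begin{pmatrix} x & y \\ s & t \end{pmatrix} \in \mathrm{St}_a$ if and only if
$\begin{pmatrix} x & y \\ s & t \end{pmatrix}$ is invertible and

$$\begin{pmatrix} 1 & \ell^a \\ 0 & q \end{pmatrix} \cdot \begin{pmatrix} x & y \\ s & t \end{pmatrix} = \begin{pmatrix} x & y \\ s & t \end{pmatrix} \cdot \begin{pmatrix} 1 & \ell^a \\ 0 & q \end{pmatrix}.$$

This condition is equivalent to the system (using $a \leq \nu$)

$$\ell^a s \equiv 0 \bmod \ell^n, \qquad (12)$$

$$\ell^a (t - x) \equiv y(q - 1) \bmod \ell^n. \qquad (13)$$

We can choose $x$ and $y$ at random, so that $t \equiv y(q - 1)/\ell^a + x \bmod \ell^{n-a}$ and
$s \equiv 0 \bmod \ell^{n-a}$; we find a total of $\ell^{2n+2a}$ matrices satisfying (12) and (13). From these we
have to remove the singular matrices, which adds the condition $xt \equiv sy \bmod \ell$.
If $a < \nu$ we have by (12) and (13) that $s \equiv 0 \bmod \ell$ and $t \equiv x \bmod \ell$, hence the only
additional restriction is that $x \equiv 0 \bmod \ell$. This gives $\ell^{2n+2a-1}$ singular matrices
and hence $\#\mathrm{St}_a = \ell^{2n+2a} - \ell^{2n+2a-1}$ for $a < \nu$. If $\nu = n$ it is obvious that
$\#\mathrm{Cl}_n = 1$, so we are left with considering $\mathrm{St}_\nu$ for $\nu < n$. As shown in the proof
of Lemma 5, the matrix $\begin{pmatrix} 1 & \ell^\nu \\ 0 & q \end{pmatrix}$ is conjugated to $\begin{pmatrix} 1 & 0 \\ 0 & q \end{pmatrix}$, and now it is an easy
exercise to compute the number $\#\mathrm{St}_\nu = \ell^{2n+2\nu} - (2\ell^{2n-1} - \ell^{2n-2})\ell^{2\nu}$. Combined
this gives that the number of matrices conjugated to some $\begin{pmatrix} 1 & w \\ 0 & q \end{pmatrix}$ where $\nu < n$
equals (note that $\#\mathrm{GL}_2(\mathbb{Z}_{\ell^n}) = \ell^{4n-4}(\ell^2 - 1)(\ell^2 - \ell)$)

$$\sum_{a=0}^{\nu-1} \frac{\ell^{4n-4}(\ell^2 - 1)(\ell^2 - \ell)}{\ell^{2n+2a} - \ell^{2n+2a-1}} + \frac{\ell^{4n-4}(\ell^2 - 1)(\ell^2 - \ell)}{\ell^{2n+2\nu} - 2\ell^{2n+2\nu-1} + \ell^{2n+2\nu-2}} = \ell^{2n} + \ell^{2n-2\nu-1}.$$

Dividing this number by $\#\mathrm{SL}_2(\mathbb{Z}_{\ell^n})$ gives the theorem for $\nu < n$. If
$q \equiv 1 \bmod \ell^n$ we similarly find

$$\sum_{a=0}^{n-1} \frac{\ell^{4n-4}(\ell^2 - 1)(\ell^2 - \ell)}{\ell^{2n+2a} - \ell^{2n+2a-1}} + 1 = \ell^{2n}.$$

This concludes the proof. □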
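
The three limits in the small example before the proof (11/72, 9/72 and 2/72 for $\ell^n = 9$, $q \equiv 1 \bmod 9$) can be reproduced by enumerating the candidate Frobenius matrices directly, as the proof does, and compared with an exhaustive count over a small prime field. This Python code is an added example, not part of the paper; the function names are chosen here, and curves are counted per pair $(A, B)$ rather than per isomorphism class, the alternative notion of randomness discussed in the Appendix.

```python
from itertools import product


def frobenius_matrix_counts():
    """Matrices M in SL2(Z/9) (det M = q = 1 mod 9), sorted by their fixed vectors.

    Returns (#SL2(Z/9), # with trace 2 = q + 1, # fixing a vector of order 9,
    # whose fixed subgroup is exactly Z/3 + Z/3)."""
    vectors = list(product(range(9), repeat=2))
    total = trace_ok = order9 = z3z3 = 0
    for a, b, c, d in product(range(9), repeat=4):
        if (a * d - b * c) % 9 != 1:
            continue
        total += 1
        trace_ok += (a + d) % 9 == 2
        fixed = [(x, y) for x, y in vectors
                 if (a * x + b * y - x) % 9 == 0 and (c * x + d * y - y) % 9 == 0]
        if any(x % 3 or y % 3 for x, y in fixed):
            order9 += 1          # eigenvalue 1 with eigenvector nonzero mod 3
        elif len(fixed) == 9:
            z3z3 += 1            # fixed subgroup is 3*(Z/9)^2
    return total, trace_ok, order9, z3z3


def curve_counts(q):
    """Same three events counted over all pairs (A, B) in S, q prime, q = 1 mod 9.

    Returns (#S, # with 9 | #E, # with a point of order 9, # with 3-part Z/3 + Z/3)."""
    chi = [0] + [1 if pow(v, (q - 1) // 2, q) == 1 else -1 for v in range(1, q)]
    total = div9 = order9 = z3z3 = 0
    for A, B in product(range(q), repeat=2):
        if (4 * A**3 + 27 * B**2) % q == 0:
            continue
        total += 1
        fx = [(x**3 + A * x + B) % q for x in range(q)]
        n = q + 1 + sum(chi[v] for v in fx)
        if n % 9:
            continue
        div9 += 1
        # x-coordinates of rational points of order 3: roots of the 3-division
        # polynomial 3x^4 + 6Ax^2 + 12Bx - A^2 at which f(x) is a nonzero square
        xs = sum(1 for x in range(q)
                 if (3 * x**4 + 6 * A * x * x + 12 * B * x - A * A) % q == 0
                 and chi[fx[x]] == 1)
        if 1 + 2 * xs == 9 and n % 27:
            z3z3 += 1            # E[3] rational and 3-part of order exactly 9
        else:
            order9 += 1
    return total, div9, order9, z3z3


if __name__ == "__main__":
    print(frobenius_matrix_counts())      # limits: ratios to the first entry
    for q in (19, 37, 73, 109):
        print(q, curve_counts(q))
```

The matrix counts give the limits exactly; the curve counts for small $q$ deviate from them noticeably, since the theorem is a statement for $q \to \infty$.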



Lemma 5 Let $\nu = \mathrm{ord}_\ell(q - 1)$. Each matrix over $\mathbb{Z}_{\ell^n}$ of the form $\begin{pmatrix} 1 & w \\ 0 & q \end{pmatrix}$ is
conjugated to precisely one matrix of




0<a<iy 



Proof. First we show that (J^g ) with a > 1/ is conjugated to (o^J ). Write 
g = 1 + then 




1) 




Let 



£°-w' with w' a unit in Zi 

-1 



then 







which implies that at least one matrix of the above set is conjugated to (0 
The fact that all matrices $M_a$ define different conjugacy classes follows either
from a direct reasoning (assuming that two of them are conjugated, the transformation
matrix will have determinant 0 modulo $\ell$) or from the computations
above which show that the conjugacy classes have different size. □
In this section we excluded the case $p \mid N$. Note that $E[p^\infty](\mathbb{F}_q)$ is always
cyclic (and even trivial when $E$ is supersingular). Therefore, asking for a point
of order $p^n$ is the same as asking for $p^n$-torsion, the probability of which was
described by Howe (see the discussion following Theorem 1 in the introduction).
We then see that the only gap towards a complete description of the probability
that an elliptic curve has a point of order $N$, is a proof of the presumed
independence between $N = p^n$ and $N$ coprime to $q$.

Note 2 It is possible to determine the probability of all kinds of group structures
in a similar way. For example, let $0 \leq a \leq b$ be integers, $\ell$ a prime coprime
to $q$ and suppose we want to know the probability that

$$E[\ell^\infty](\mathbb{F}_q) \cong \mathbb{Z}_{\ell^a} \oplus \mathbb{Z}_{\ell^b}.$$

This can be done as follows. Let $S$ be the set of matrices $M$ in $\mathrm{GL}_2(\mathbb{Z}_{\ell^{a+b+1}})$
with determinant $q$ for which the following conditions hold:

(i) $\mathrm{Tr}(M) \not\equiv q + 1 \bmod \ell^{a+b+1}$,

(ii) Tr(M) = q+l mod 

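(iii) $M$ is conjugated to some $\begin{pmatrix} 1 & w \\ 0 & q \end{pmatrix} \bmod \ell^b$, and

(iv) $M \equiv \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \bmod \ell^a$.

Then the requested probability tends to $\#S / \#\mathrm{SL}_2(\mathbb{Z}_{\ell^{a+b+1}})$. Note that this
question was also considered by Gekeler in [12] in the alternative setting mentioned
in the introduction.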

Appendix: Twists, randomness, and disambiguations 

Quadratic twisting. The existing literature seems to contain varying definitions for
the notion of quadratic twisting. We followed [20, X.2.4, Exercise A.2], which we recall
here. Let $\mathbb{F}_q$ be a finite field and let $E$ be an elliptic curve over $\mathbb{F}_q$. If $\mathrm{char}(\mathbb{F}_q) \neq 2$,
one takes a short Weierstrass model $y^2 = f(x)$ and a nonsquare $d \in \mathbb{F}_q$. Then the
quadratic twist of $E$ is the curve $E^t$ defined by $dy^2 = f(x)$. Its $\mathbb{F}_q$-isomorphism class
does not depend on the choice of the Weierstrass model, nor on the choice of $d$. We
have an $\mathbb{F}_{q^2}$-isomorphism $\iota : E^t \to E : (x, y) \mapsto (x, \sqrt{d}\, y)$. If $\mathrm{char}(\mathbb{F}_q) = 2$ and $j(E) \neq 0$
then $E$ allows a model

$$y^2 + xy = x^3 + a_2 x^2 + a_6$$

(see [20, Appendix A]). Let $d \in \mathbb{F}_q$ have trace 1, then it is of the form $\beta^2 + \beta$ for some
$\beta \in \mathbb{F}_{q^2} \setminus \mathbb{F}_q$. The quadratic twist $E^t$ is then given by

$$y^2 + xy = x^3 + (a_2 + d)x^2 + a_6.$$

This is again well-defined and we have an $\mathbb{F}_{q^2}$-isomorphism $\iota : E^t \to E : (x, y) \mapsto
(x, y + \beta x)$. Note that $E$ can be $\mathbb{F}_q$-isomorphic to its quadratic twist, take for instance
$q \equiv 3 \bmod 4$, $E : y^2 = x^3 + x$ and $d = -1$.

Let $N$ be a positive integer, coprime to $q$, and let $(P, Q)$ be a basis of $E[N]$. Let
$F$ be the matrix of $q$th-power Frobenius acting on $E[N]$ with respect to this basis.
Then it is an easy exercise to verify that $-F$ is the matrix of $q$th-power Frobenius
acting on $E^t[N]$ with respect to the basis $(\iota^{-1}(P), \iota^{-1}(Q))$. As a consequence, if $\mathcal{F}_E$
is the $\mathrm{GL}_2(\mathbb{Z}_N)$-conjugacy class associated to $q$th-power Frobenius acting on $E[N]$,
then $-\mathcal{F}_E = \{-M \mid M \in \mathcal{F}_E\}$ is the $\mathrm{GL}_2(\mathbb{Z}_N)$-conjugacy class associated to $q$th-power
Frobenius acting on $E^t[N]$. Note that the example above shows that one might have
$\mathcal{F}_E = -\mathcal{F}_E$, even if $N > 2$.

The number of twists of an elliptic curve. The following formula, due to Howe,
summarizes what we need.

Theorem 8 Let $\mathbb{F}_q$ be a finite field and $E/\mathbb{F}_q$ an elliptic curve. Let $[E]_{\mathbb{F}_q}$ be the set
of $\mathbb{F}_q$-isomorphism classes of elliptic curves that are $\overline{\mathbb{F}}_q$-isomorphic to $E$. Then

Proof. See [14, Proposition 2.1]. □



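Corollary 3 One has $\#[E]_{\mathbb{F}_q} \geq 2$. If $j(E) \neq 0, 1728$, then this becomes an equality,
and $[E]_{\mathbb{F}_q}$ consists of $E$ and its quadratic twist. Otherwise, we have the following
upper bounds. If $j(E) = 1728$ and $\mathrm{char}(\mathbb{F}_q) \neq 2, 3$ then $\#[E]_{\mathbb{F}_q} \leq 4$. If $j(E) = 0$
and $\mathrm{char}(\mathbb{F}_q) \neq 2, 3$ then $\#[E]_{\mathbb{F}_q} \leq 6$. If $j(E) = 0 = 1728$ and $\mathrm{char}(\mathbb{F}_q) = 3$ then
$\#[E]_{\mathbb{F}_q} \leq 12$. Finally, if $j(E) = 0 = 1728$ and $\mathrm{char}(\mathbb{F}_q) = 2$ then $\#[E]_{\mathbb{F}_q} \leq 24$.

Proof. Since $\{\pm 1\} \subset \mathrm{Aut}_{\mathbb{F}_q}(E)$, one must have that $\#[E]_{\mathbb{F}_q} \geq 2$. The upper bounds
follow from $\mathrm{Aut}_{\mathbb{F}_q}(E) \subset \mathrm{Aut}_{\overline{\mathbb{F}}_q}(E)$ and [20, Theorem III.10.1]. It remains to show
that if $j(E) \neq 0, 1728$, then $E$ cannot be $\mathbb{F}_q$-isomorphic to its quadratic twist: indeed,
this would give a non-rational automorphism of $E$, which cannot exist since
$\mathrm{Aut}_{\overline{\mathbb{F}}_q}(E) = \{\pm 1\}$. □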

Randomly chosen elliptic curves. Throughout this article, by a randomly chosen
elliptic curve over $\mathbb{F}_q$ we always meant that the $\mathbb{F}_q$-isomorphism class of $E$ was
uniformly randomly chosen among the $\mathbb{F}_q$-isomorphism classes of elliptic curves over $\mathbb{F}_q$.
Note that from Corollary 3 above it follows that the number of such $\mathbb{F}_q$-isomorphism
classes lies in $[2q, 2q + 22]$.

We will now briefly comment on two common disambiguations. Suppose first that
$\mathrm{char}(\mathbb{F}_q) > 3$. Then it is natural to state that a random elliptic curve is given by

$$y^2 = x^3 + Ax + B$$

where $(A, B)$ was uniformly randomly chosen in the set

$$S = \{ (A, B) \in (\mathbb{F}_q)^2 \mid 4A^3 + 27B^2 \neq 0 \}.$$

Since not all $\mathbb{F}_q$-isomorphism classes are represented by an equal number of pairs
$(A, B)$, this notion is nonequivalent to ours. However, as $q$ gets big, the slight difference
becomes negligible. Indeed, by Corollary 3 there are at most ten elliptic curves over
$\mathbb{F}_q$ having $j$-invariant 0 or 1728. These precisely correspond to the $2q - 2$ Weierstrass
models $y^2 = x^3 + Ax + B$ for which $AB = 0$. All other $\mathbb{F}_q$-isomorphism classes are
represented by exactly $(q - 1)/2$ couples $(A, B) \in S$. As a consequence, under the
extra condition that $\mathrm{char}(\mathbb{F}_q) > 3$, Theorem 1 is still valid for this alternative notion
of randomness.

Another disambiguation is to consider an elliptic curve defined by

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$

for uniformly randomly chosen $(a_1, a_2, a_3, a_4, a_6) \in \mathbb{F}_q^5$ subject to the appropriate
smoothness condition. Again one can verify that Theorem 1 is still valid under this
notion of randomness.

References 

[1] J. Achter, The distribution of class groups of function fields, J. Pure Appl. Alg.
204 (2) (2006), pp. 316-333

[2] J. Achter, Results of Cohen-Lenstra type for quadratic function fields, Computational
Arithmetic Geometry, eds. K. Lauter and K. Ribet, Contemporary
Mathematics (463), American Mathematical Society, 2008

[3] J. Achter and D. Sadornil, On the probability of having rational ℓ-isogenies, Arch.
Math. 90 (2008), pp. 511-519

[4] B. Birch, How the number of points of an elliptic curve over a fixed prime field
varies, J. London Math. Soc. 43 (1968), pp. 57-60

[5] H. Carayol, La conjecture de Sato-Tate, Séminaire Bourbaki 977, 59ème année,
2006-2007

[6] N. Chavdarov, The generic irreducibility of the numerator of the zeta function
in a family of curves with large monodromy, Duke Math. J. 87 (1) (1997), pp.
151-180

[7] P. Deligne, La conjecture de Weil: II, Publ. Math. IHES 52 (1980), pp. 137-252

[8] P. Deligne, M. Rapoport, Les schémas de modules de courbes elliptiques, Proc.
Int. Summer School Antwerp, Lecture Notes in Math. 349, Springer-Verlag
(1973), pp. 143-174

[9] M. Fried, M. Jarden, Field Arithmetic, Ergebnisse der Mathematik und ihrer
Grenzgebiete, 3. Folge, Bd. 11, Springer-Verlag (1986)

[10] S. Galbraith, J. McKee, The probability that the number of points on an elliptic
curve over a finite field is prime, J. London Math. Soc. 62 (3) (2000), pp. 671-684

[11] E.-U. Gekeler, Frobenius distributions of elliptic curves over finite prime fields,
Int. Math. Res. Not. 37 (2003), pp. 1999-2018

[12] E.-U. Gekeler, The distribution of group structures on elliptic curves over finite
prime fields, Documenta Math. 11 (2006), pp. 119-142

[13] E.-U. Gekeler, Statistics about elliptic curves over finite prime fields, Manuscripta
Math. 127 (2008), pp. 55-67

[14] E. Howe, On the group orders of elliptic curves over finite fields, Compositio
Math. 85 (1993), pp. 229-247

[15] J.-I. Igusa, Fibre systems of Jacobian varieties III: Fibre systems of elliptic curves,
Am. Journal of Math. 81 (1959), pp. 453-476

[16] J.-I. Igusa, Kroneckerian model of fields of elliptic modular functions, Am. Journal
of Math. 81 (1959), pp. 561-577

[17] N. Katz, P. Sarnak, Random Matrices, Frobenius Eigenvalues, and Monodromy,
Colloquium publications 45, Am. Math. Soc. (1998)

[18] K. Kedlaya, A. Sutherland, Hyperelliptic curves, L-polynomials, and random
matrices, to appear in the lecture notes of AGCT-11, Contemporary Mathematics

[19] H. Lenstra, Factoring integers with elliptic curves, Annals of Math. 126 (2) (1987),
pp. 649-673

[20] J. Silverman, The arithmetic of elliptic curves, Graduate Texts in Mathematics
106, Springer (1985)

[21] S. Vladut, Cyclicity statistics for elliptic curves over finite fields, Finite Fields
Appl. 5 (1999), pp. 13-25



